Windows 10: Windows 10 AlwaysOn VPN & DNS registration/resolution

Discussion in 'Windows 10 Network and Sharing' started by Francesco Facco, Apr 24, 2020.

  1. Windows 10 AlwaysOn VPN & DNS registration/resolution


    Hi there,

    I'm setting up AlwaysOn VPN device tunnel with split tunnelling.

    All clients are Windows 10 Enterprise 1909, RRAS servers are Windows Server 2019 Standard.

    The XML profile is pushed through a Microsoft Endpoint Management custom configuration profile.

    Via the custom profile I set up NRPT to manage my split-brain DNS (internal and public domain are the same), because some services need to be resolved outside the VPN tunnel.

    Following the documentation, I declared the FQDNs of out-of-tunnel services without specifying a reference DNS server.

    Due to the new Windows 10 DNS client request handling, in this scenario the requests for out-of-tunnel names are resolved by the VPN adapter's DNS servers, so via the VPN tunnel...

    I tried removing the VPN adapter's DNS servers; in this case NRPT works well, but the remote client doesn't register itself in the on-premises DNS.

    The only workaround I found is to specify public DNS servers for out-of-tunnel services in NRPT. This addresses the issue, but IMHO it is not recommendable due to possible restrictions on external name resolution on managed networks.


    Has anyone had my problem and found a simple, secure, scalable solution?


    Many thanks!

    Regards,

    FF

    :)
     
    Francesco Facco, Apr 24, 2020
    #1
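A way to verify the behaviour described in the post above on an affected client, as an added example that is not part of the original thread: it lists the effective NRPT rules, the DNS servers and metric of each connected interface, the VPN adapter's DNS registration setting, and then compares the answer each interface DNS server gives for an out-of-tunnel name with the answer the Windows resolver actually returns. `service.example.com` and `AlwaysOn VPN` are placeholder values, not names from the thread.

```powershell
# Added diagnostic sketch. Both values below are placeholders (assumptions).
$OutOfTunnelName = 'service.example.com'   # FQDN declared as out-of-tunnel in NRPT
$VpnAlias        = 'AlwaysOn VPN'          # interface alias of the VPN connection

# 1. NRPT rules currently in effect. A rule with an empty NameServers list
#    has no rule-specific DNS server, so the interface DNS servers are used.
Get-DnsClientNrptPolicy -Effective |
    Select-Object Namespace, NameServers |
    Format-Table -AutoSize

# 2. DNS servers and interface metric of every connected IPv4 interface,
#    lowest metric first.
$interfaces = Get-NetIPInterface -AddressFamily IPv4 -ConnectionState Connected |
    Sort-Object InterfaceMetric |
    ForEach-Object {
        $dns = Get-DnsClientServerAddress -InterfaceIndex $_.ifIndex -AddressFamily IPv4
        [pscustomobject]@{
            Alias      = $_.InterfaceAlias
            Metric     = $_.InterfaceMetric
            DnsServers = $dns.ServerAddresses
        }
    }
$interfaces | Format-Table Alias, Metric, @{ n = 'DnsServers'; e = { $_.DnsServers -join ', ' } }

# 3. Does the VPN adapter register its address in DNS?
Get-DnsClient -InterfaceAlias $VpnAlias |
    Select-Object InterfaceAlias, RegisterThisConnectionsAddress, ConnectionSpecificSuffix

# 4. Ask each interface DNS server directly, then ask the normal resolver.
#    With split-brain DNS the internal and public answers differ, so the last
#    row shows which side the client resolver really used.
$answers = foreach ($if in $interfaces) {
    foreach ($server in $if.DnsServers) {
        $r = Resolve-DnsName -Name $OutOfTunnelName -Type A -Server $server -DnsOnly -ErrorAction SilentlyContinue
        [pscustomobject]@{ Source = "$($if.Alias) ($server)"; Answer = ($r.IPAddress -join ', ') }
    }
}
$r = Resolve-DnsName -Name $OutOfTunnelName -Type A -DnsOnly -ErrorAction SilentlyContinue
$answers += [pscustomobject]@{ Source = 'Windows resolver (NRPT applied)'; Answer = ($r.IPAddress -join ', ') }
$answers | Format-Table -AutoSize
```

Run it once with the VPN connected and once disconnected; an empty `Answer` means that server did not return an A record for the name.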
  2. drueter Win User

    Win 10: DNS resolution of remote network via VPN connection not working

    Changing the metric worked for me, but my situation was a little different:

    DNS resolution with my VPN had been working flawlessly with Win10 (first with Preview, then with RTM, always kept up-to-date) using Dell SonicWALL NetExtender (currently version 7.5.223).

    Then this morning DNS resolution with my VPN stopped working suddenly. I hadn't explicitly made any changes or installed any updates or software. Perhaps an automatic update broke things.

    Though the VPN still connected fine, and though the interface binding order HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\LanmanServer\Linkage\Bind was properly updated on connection of the VPN (i.e. the VPN's interface was added to the top of the list), NSLOOKUP would use my LAN's DNS servers rather than the VPN's DNS servers. The VPN client was however showing properly-configured DNS servers.

    In my case I was unable to open TCP/IPv4 properties for the "SonicWALL NetExtender" interface: the "Properties" button was displayed as being active, but clicking on it did nothing / did not open a properties dialog.

    So instead I went to TCP/IPv4 properties for my Ethernet interface, clicked Advanced, and unchecked "Automatic metric", and assigned an arbitrary metric of 100.

    After doing this DNS resolution once again works properly: When the VPN is connected the VPN interface's DNS servers are used. When the VPN is not connected, the Ethernet interface's DNS servers are used.
     
    drueter, Apr 24, 2020
    #2
  3. Windows 10 DNS leak

    Sorry if this has been addressed previously but on moving to W10 I've noticed my VPN (Freedome) no longer is sufficient to stop DNS leaks. I know it's to do with the parallel DNS resolution nature of W10 but I'd like to know what VPN works with W10 to prevent DNS leaks and/or if someone can take me through the process of using an Open VPN based config.

    I tried installing Open VPN but my knowledge base on that front is too minimal and I get quickly lost.

    Any ideas?

    Or do I just get an Open VPN based product and insert the fix-dns-leak.dll from ValdikSS?
     
    the54thvoid, Apr 24, 2020
    #3
  4. Windows 10 AlwaysOn VPN & DNS registration/resolution

    Win 10: DNS resolution of remote network via VPN connection not working

    I can confirm that I also have the issue. To summarize:

    - Windows VPN does not try to resolve hostnames with the remote DNS, with or without split-tunneling enabled. It always uses the DNS defined on the local network card.

    - Issue is new to Windows 10, Windows 8.1 was working correctly with the exact same VPN configuration.

    - Split-tunneling has nothing to do with the issue as the local DNS setting is used in both scenarios to resolve hostnames which is wrong. Hostnames should be resolved by the remote DNS. By the way, there is a bug in the VPN GUI of Win 10, it is not possible to access the dialog to change the split-tunneling configuration. It can only be done through PowerShell.

    - Even if IPV6 might be involved in the issue, I have never touched the default IPV6 config under Win 8.1 and DNS always worked correctly. It should be the same with Win 10.

    - With nslookup we can clearly see that it uses the DNS of the NIC and not the one pushed by the VPN. nslookup under Win 8.1 uses the VPN defined DNS.

    Microsoft, please address this issue as this is a showstopper for enterprises using the integrated Windows VPN. It is broken!

    UPDATE 1: problem is actually a bit different than what I thought, DNS resolution works IF you don't use the FQDN of the internal machine you want to reach. The funny thing is that "ping mymachine" will return as a result "mymachine.mycompany.com".
    But trying to ping "mymachine.mycompany.com" does not resolve since it uses the locally defined DNS. So the problem is with the DNS filter, it does not use the DNS suffix search list to decide where the DNS query should be sent.

    UPDATE 2: problem is not specific to Windows VPN, SonicWALL NetExtender VPN has the same issue. So it's the DNS resolver which is common to all VPNs that has the issue.

    UPDATE 3: DirectAccess is also not working, also seems related to the DNS issue. Looking at the DirectAccess Troubleshooter log there are various unresolved hostname errors.
     
    Louis-Philippe Normandin, Apr 24, 2020
    #4